What disclosures must a business provide to consumers?
Businesses subject to CCPA / CPRA must provide transparent and accessible notices that explain how personal data is handled.
You must publish a Privacy Policy that clearly explains:
The categories of personal information collected
The sources of that information
The business or commercial purposes for collecting, selling or sharing data
The rights available to consumers
How consumers can submit requests
Accessibility for people with disabilities
You must also provide a Notice at Collection at or before the point of data collection, specifying:
Categories of personal information and sensitive personal information
The purpose for collection
Whether data is sold or shared
If you sell or share personal data, you must display a Notice of Right to Opt-Out of Sale or Sharing or provide an Alternative Opt-Out Link.
If you use sensitive personal data beyond authorized purposes, you must display a Notice of Right to Limit.
If you offer financial incentives for personal data (such as discounts or benefits), you must publish a Notice of Financial Incentive explaining the value of the data and the terms.
How must businesses handle opt-out requests and what are “dark patterns”?
You must provide at least two ways for consumers to opt out of the sale or sharing of their data.
Provide methods such as:
If you receive a compliant opt-out signal, you must process it for the device or browser transmitting the signal.
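The rule above binds an opt-out to the device or browser that sent the signal, not to an account. The following added example (not code from the original page) shows what honoring such a signal looks like server-side. It assumes the signal is the Global Privacy Control header, `Sec-GPC: 1`; the request headers, the `device_id` cookie value and the in-memory registry are constructed for illustration.

```python
"""Honor a browser opt-out preference signal on a per-device basis.

Added example, not the page's own code. Assumes the signal is the Global
Privacy Control header (`Sec-GPC: 1`); the GPC specification defines "1" as
its only valid value, so anything else is treated as "no signal present".
"""
from dataclasses import dataclass, field


@dataclass
class OptOutRegistry:
    """Per-device opt-out state, keyed by a constructed device/browser identifier.

    A real deployment would persist this (database, cookie, or consent platform);
    an in-memory set is enough to show the decision logic.
    """
    opted_out: set[str] = field(default_factory=set)

    def record(self, device_id: str) -> None:
        self.opted_out.add(device_id)

    def is_opted_out(self, device_id: str) -> bool:
        return device_id in self.opted_out


def gpc_signal_present(headers: dict[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, so the lookup is too. Only the
    exact value "1" (surrounding whitespace ignored) counts; a malformed or
    unknown value must never be read as consent to sell or share.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def handle_request(headers: dict[str, str], device_id: str,
                   registry: OptOutRegistry) -> dict:
    """Decide whether data from this request may be sold or shared.

    `device_id` stands in for whatever identifies the transmitting browser or
    device (a constructed cookie value here). Once a signal has been seen for
    that identifier, the opt-out persists even on later requests that omit
    the header, so the decision is keyed on the registry, not on the header
    alone.
    """
    signal = gpc_signal_present(headers)
    if signal:
        registry.record(device_id)
    return {
        "device_id": device_id,
        "gpc_signal": signal,
        "sell_or_share_allowed": not registry.is_opted_out(device_id),
    }


if __name__ == "__main__":
    # Constructed sample traffic from two browsers.
    reg = OptOutRegistry()
    print(handle_request({"Sec-GPC": "1", "User-Agent": "demo"}, "dev-a", reg))
    print(handle_request({"User-Agent": "demo"}, "dev-a", reg))   # still opted out
    print(handle_request({"Sec-GPC": "0"}, "dev-b", reg))          # no valid signal
```

The check that matters for compliance is the second request: a browser that sent the signal once stays opted out for that device even when a later request lacks the header, while a different device with no valid signal is unaffected.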
You must also avoid using dark patterns, which are interface designs that manipulate users into making choices they would not otherwise make.
Non-compliant behaviors include:
Making opt-out harder than consent
Offering “Accept All” without a visible “Decline All”
Using double negatives
Adding unnecessary steps to refuse consent
A compliant design offers symmetrical and intuitive choices.
How must businesses handle sensitive personal information?
Sensitive Personal Information (SPI) includes data such as precise geolocation, racial or ethnic origin, biometric identifiers, and genetic data.
Consumers have a Right to Limit how SPI is used or disclosed.
You must provide two ways to submit limitation requests and must not require identity verification.
You do not need to offer this right if your use of SPI is limited to:
Providing requested services
Preventing security incidents
Detecting fraud
Protecting safety
Short-term, limited internal use
If SPI is not used to infer personal characteristics, the right to limit does not apply.
What are the response deadlines for consumer requests?
After receiving a consumer request:
Acknowledge receipt within 10 business days
Respond fully within 45 calendar days
You may extend once by up to 45 additional days (with explanation)
Opt-out requests must be completed within 15 business days
When is identity verification required?
Verification is required for:
Verification is not required for:
Opt-out requests
Right to limit requests
Opt-out of ADMT
Verification standards:
More sensitive data requires stronger verification.
When are cybersecurity audits and risk assessments required?
You must conduct a risk assessment before engaging in:
Sale or sharing of personal data
Processing sensitive personal data
Use of Automated Decision-Making Technology (ADMT)
Training AI models for significant consumer decisions
Monitoring in sensitive locations
Risk assessments must be reviewed:
A cybersecurity audit is required if:
You meet revenue thresholds, or
You processed personal data for 250,000+ consumers, or
You processed sensitive personal data for 50,000+ consumers
Audits must be conducted by a qualified and independent professional.
After completion, you must submit a written certification to the California Privacy Protection Agency.